Cisco AnyConnect Secure Mobility Client on OS X Yosemite - VPN not working if the Mac is connected via iPhone hotspot

I have encountered a strange situation with Yosemite and Cisco AnyConnect Secure Mobility Client (all recent versions, including the latest, 3.1.05187).

If the Mac is using the iPhone's internet connection (via Bluetooth or WiFi), everything stops working when I connect with the client, from the Internet to the traffic over the tunnel. We are using split tunneling with split DNS for our internal addresses. Somehow DNS is not working anymore.

I can ping by IP but not by name; I also cannot ping any Internet address unless I manually re-add the default route.


Has anybody encountered this problem?


All - I have a solution for this problem.

In your AnyConnect Group Policy, go to Advanced > Split Tunneling.

For "DNS Names", uncheck "Inherit" and manually define your LAN's internal DNS domain name.

For "Send All DNS Lookups Through Tunnel", uncheck "Inherit" and manually select "No".

For reasons I've not yet figured out, Yosemite does not like tunneling all DNS lookups through the tunnel. 

If this is a sticking point for your environment, you may need to define a separate Group Policy for your OS X users until Cisco/Apple figure out their bug.

Good luck!



Sorry, but this does not solve the issue for us. This is the exact configuration we already have, and we have had it since this problem first appeared. This is clearly an incompatibility between AnyConnect and Yosemite. The ONLY success I have had is with a pocket router in between my iPhone hotspot and my laptop running Yosemite. It is an ugly hack, but at least I am portable(ish) again.


Hi David -

I used this solution for 6 different customers of mine today and it universally solved it. Check your split-tunnel settings across the board, as well as the DNS and domain name related bits in your group profile. Feel free to post your webvpn config too.


Tim - I have the same configuration as razvan1979 and it does not work.


Which AnyConnect and OS X versions? I'm on 3.1.06073 and 10.10.1 respectively.


Hello Tim,

I have the same version, mate, exactly the same; maybe something is missing in my config!

PING ( 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
ping: sendto: No route to host
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4
--- ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss

cat /etc/resolv.conf
cat: /etc/resolv.conf: No such file or directory

group-policy GP-XXX internal
group-policy GP-XXX attributes
 dns-server value 172.xx.xx.xx 10.xx.xx.xx
 vpn-simultaneous-logins 2
 vpn-idle-timeout 60
 vpn-filter value ACL-XXX
 vpn-tunnel-protocol ikev2 ssl-client
 group-lock value TN-XXX
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUNNEL
 split-dns value hs2 dc2 office qxlint
 address-pools value VPNPOOL-XXX


I've managed to get the "split-tunnel-all-dns disable" workaround working on one of my ASAs, but not on the other. Apparently, ASA version 9.0 or later is required.


More detail in a recent post here:


Strange, because I have had this type of config from the start, since we use split DNS!


Hi Tim, can you please guide me to finding the AnyConnect Group Policy so I can try the solution?


As above: OS X 10.10.2, AnyConnect 3.1.07021, iOS 8.2, tethered (hotspot) connection. Adding the local domain name/DNS lookup setting (which is unchanged in this instance) as per tim.economides' suggestion appears to resolve the issue (after initial testing)!


Same issue here. As an end user, I apparently don't have access to the Group Policy to edit it.


I think tethering + AnyConnect is working for me again with the recent iOS 8.2 update!


OS X 10.10.2, AnyConnect 3.1.07021, iOS 8.2, tethered (hotspot) connection: when the VPN is active, Internet/DNS/local network are unavailable. The problem is still as per razvan1979's original observation.



It seems that we have a solution. Try to follow this picture to enable client bypass protocol. It works for us.


Enter "client-bypass-protocol enable" in the group-policy attributes section using the CLI.
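
For reference, here is the ASA CLI equivalent of the settings suggested in this thread collected into one group-policy fragment: the split-DNS domain list and "Send All DNS Lookups Through Tunnel = No" from Tim's ASDM steps (the latter is the "split-tunnel-all-dns disable" line that was reported to need ASA 9.0 or later), plus the client-bypass-protocol line from the post above. This is an added example, not any poster's verified configuration; the group-policy name GP-XXX, the ACL name SPLITUNNEL, the split-dns domains and the masked DNS server addresses are copied from the config posted earlier in the thread, and the comment lines are explanatory only.

```cisco
! Added example: AnyConnect group policy with the settings discussed in this thread.
! Names, split-dns domains and masked DNS addresses are copied from the config
! posted above; this is not a poster's confirmed fix.
group-policy GP-XXX attributes
 dns-server value 172.xx.xx.xx 10.xx.xx.xx
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITUNNEL
 ! ASDM "Split Tunneling > DNS Names": only these suffixes are resolved through the tunnel
 split-dns value hs2 dc2 office qxlint
 ! ASDM "Send All DNS Lookups Through Tunnel = No"; thread reports ASA 9.0+ is needed
 split-tunnel-all-dns disable
 ! Traffic for an address family the ASA did not assign bypasses the tunnel instead of being dropped
 client-bypass-protocol enable
 address-pools value VPNPOOL-XXX
!
! Check the result on the ASA after the change:
! show running-config group-policy GP-XXX
```

The client-bypass-protocol line does one specific thing: when the headend assigns the client only an IPv4 address (as a pool like VPNPOOL-XXX does), IPv6 traffic from the client is dropped by default, and enabling the bypass lets it go out the local interface instead. Whether that is what breaks tethered Yosemite clients is not established anywhere in this thread; it is simply the command the last post reports as working.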

This would require an expensive update for us. What version ASDM are you running?